Those who long have been concerned about a lack of consistent principles to guide the implementation of cloud services now have access to a new tool — one that promises to provide a useful guide to categories and controls in this important and expanding area of our practice.

This past summer, the International Organization for Standardization (“ISO”) together with the International Electrotechnical Commission (“IEC”) published ISO/IEC 27018, a new voluntary code of practice for the protection of personally identifiable information (“PII”) that is processed by a cloud-service provider. Used in conjunction with and as an expansion of ISO/IEC 27002, a best-practice guide for implementing information-security management, ISO/IEC 27018 creates a common set of security categories and controls intended specifically for cloud services. As the first-ever security standard for the cloud, ISO 27018 has the following key objectives:

• Help cloud-service providers that process PII to address applicable legal obligations as well as customer expectations.
• Enable transparency so customers can choose well-governed cloud services.
• Facilitate the creation of contracts for cloud services.
• Provide cloud customers with a mechanism to ensure cloud providers’ compliance with legal and other obligations.

While ISO/IEC 27018 does not replace existing laws and regulations, it provides a global common standard, which is particularly helpful for those cloud providers that offer services to customers in different countries. Because the requirements of such laws and regulations governing the protection of PII vary significantly from country to country, and obligations as between cloud-service providers and their customers can differ according to individual contract terms, ISO/IEC 27018 addresses the special challenges faced by cloud services operating internationally.

ISO states that the new standard is “applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, which provide information processing services as PII processors via cloud computing under contract to other organizations.” Still, ISO notes that the new standard should be adopted only as a “starting point.” In other words, not all aspects of the standard will be appropriate for all cloud services, and particular services might need to develop additional controls not included in ISO/IEC 27018. Likely sometime next year, ISO will release ISO/IEC 27017, which will address information-security best practices for cloud computing more broadly.

In order to achieve ISO/IEC 27018 certification, a cloud service must undergo an audit by an accredited certification body that ensures that the cloud provider:

• Helps customers comply with their obligations to allow end-users to access, correct and/or erase their personal information.
• Processes PII only in accordance with a customer’s instructions.
• Processes PII for marketing or advertising purposes only with the customer’s express consent.
• Discloses information to law-enforcement authorities only when legally bound to do so.
• Discloses the names of any sub-processors and the possible locations where personal information may be processed prior to entering into a cloud-services contract.
• Helps customers comply with their data breach notification obligations.
• Implements a policy for the return, transfer, or disposal of personal data that specifies the retention period following the termination of a contract.
• Agrees to independent information-security reviews at planned intervals or when significant changes occur.
• Enters into confidentiality agreements with staff who have access to personal data and provides them with training.